Hijack This log for a friend

Discussion in 'adware, spyware & hijack cleaning' started by baribunma, May 10, 2004.

Thread Status:
Not open for further replies.
  1. baribunma

    baribunma Registered Member

    Joined:
    May 10, 2004
    Posts:
    1
    Hi Folks,

    I am trying to clean off the spyware and adware from a friend's computer. Her son had installed probably ALL the P2P-ware and games out there. Her machine was almost completely hosed.

    She has XP Home OS (piece of junk). I probably should have just reformatted the thing, but I wanted to preserve any files that she needed. I have been able to clean off most of the malware and adware with a variety of methods (mostly S&D and Ad-Aware), but have NOT been able to get rid of the Look2Me files. They are very persistent.

    Anyway, here is the Hijack This log from her machine:

    ------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 6:19:48 PM, on 5/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\PROGRA~1\NORTON~3\navw32.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\My Downloads\spyware stoppers\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://69.20.62.53/yyy2.html
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [WebInstall2] C:\Documents and Settings\Lynda Pearson\WebInstall.exe /R
    O4 - HKLM\..\Run: [rumnas.exe] C:\WINNT\System32\rumnas.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [version] C:\WINNT\System32\version.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Xkej.exe
    O4 - HKLM\..\Run: [cmadl32.exe] C:\WINNT\System32\cmadl32.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
    O4 - HKLM\..\Run: [firc.exe] C:\WINNT\System32\firc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
    O4 - Global Startup: stamp.dat
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chstfld1.va.home.com
    O17 - HKLM\Software\..\Telephony: DomainName = chstfld1.va.home.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chstfld1.va.home.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chstfld1.va.home.com

    -----------------------------


    NOT EVEN close to understanding what all this means yet. Can anyone out there help me with this? What do I kill here and what do I leave alone?

    Any reliable way to kill Look2Me?

    Thanks a lot -
    Baribunma
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Baribunma,

    Start with this uninstaller (while being online) to get rid of the Peper trojan:

    http://www.memorywatcher.com/uninst.exe

    Then have only HijackThis running and fix:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://69.20.62.53/yyy2.html

    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O4 - HKLM\..\Run: [WebInstall2] C:\Documents and Settings\Lynda Pearson\WebInstall.exe /R
    O4 - HKLM\..\Run: [rumnas.exe] C:\WINNT\System32\rumnas.exe
    O4 - HKLM\..\Run: [version] C:\WINNT\System32\version.exe
    O4 - HKLM\..\Run: [cmadl32.exe] C:\WINNT\System32\cmadl32.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
    O4 - HKLM\..\Run: [firc.exe] C:\WINNT\System32\firc.exe

    After doing so, restart the PC in Safe Mode (Here's How) and remove (if still present):

    C:\WINNT\System32\P2P Networking\ <- uninstall via add/remove programs in control panel
    C:\Documents and Settings\Lynda Pearson\WebInstall.exe <- this file
    C:\WINNT\System32\rumnas.exe <- this file
    C:\WINNT\System32\version.exe <- this file
    C:\WINNT\System32\cmadl32.exe <- this file
    C:\Program Files\AutoUpdate\ <- this folder
    C:\WINNT\Wast <- this file
    C:\WINNT\System32\firc.exe <- this file

    Clean temp internet files

    Restart again in normal mode, tell us how it's running so far and repost another log

    Thanks

    Cheers,
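For anyone working through a log like this one, the O4 lines are the autostart entries, and HijackThis only deletes the registry value, so the file on disk still has to be found and removed afterwards (which is why the second list above exists). The following parser is an added example, not part of this thread or of HijackThis itself: it splits each O4 line into hive, value name, executable path and arguments, coping with quoted paths and with unquoted paths that contain spaces, then maps the value names a helper told you to fix onto the paths that still need deleting. The sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass

# One "O4 - <hive>: [<value name>] <command>" line of a HijackThis log.
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_EXT = (".exe", ".dll", ".com", ".scr")

@dataclass
class RunEntry:
    hive: str   # e.g. "HKLM\..\Run"
    name: str   # value name shown in square brackets
    path: str   # executable path with quotes and arguments removed
    args: str   # remaining command-line arguments ("" if none)

def split_command(cmd: str) -> tuple[str, str]:
    """Separate the executable path from its arguments.
    A quoted path ends at the closing quote. An unquoted path may contain
    spaces (the P2P Networking entry), so tokens are joined until the
    accumulated text ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: treat whole as path
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate, " ".join(tokens[i:])
    return cmd, ""                         # no extension at all, e.g. C:\WINNT\Wast

def parse_o4(log_text: str) -> list[RunEntry]:
    """Return every O4 autostart entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            path, args = split_command(m["cmd"])
            entries.append(RunEntry(m["hive"], m["name"], path, args))
    return entries

def cleanup_targets(entries: list[RunEntry], flagged_names: set[str]) -> dict[str, str]:
    """Map value names a helper said to fix onto the on-disk paths that
    still need removing once the Run value is gone."""
    return {e.name: e.path for e in entries if e.name in flagged_names}

# Lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
O4 - HKLM\..\Run: [firc.exe] C:\WINNT\System32\firc.exe
"""
```

Calling `cleanup_targets(parse_o4(SAMPLE_LOG), {"Wast", "firc.exe"})` gives the same two file paths the reply above lists for those entries; for folder-based items such as AutoUpdate it returns the executable, and whether to remove the whole folder remains a manual decision.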
     